There has been some change on the side of MITRE and their CNA handling, as a consequence Debian now only assigns CVE IDs for Debian-specific tools (like dpkg/apt) and Debian-specific vulnerabilities (e.g. if an issue is specific to a Debian patch or to e.g. a custom config/systemd unit) and no longer to all FLOSS packages shipped in Debian :-/

We do have a nice alternative, though: We can request them via https://cveform.mitre.org/ -> "Request a CVE ID". They can be requested and then show up as "RESERVED" on the MITRE site until MITRE is notified of it's publication. Do we have an ETA for the next mediawiki security release?

We do have a nice alternative, though: We can request them via https://cveform.mitre.org/ -> "Request a CVE ID". They can be requested and then show up as "RESERVED" on the MITRE site until MITRE is notified of it's publication.

Thanks for the heads up... "easy!" ;)

We just need to assign one of these categories to them and we can request the CVE's